Modern, soundly-run business organizations impose internal control mechanisms on material business functions, such as financial transactions, sales, and purchases, to prevent fraud, embezzlement, errors, and abuse and to promote accountability between employees. One of the most fundamental internal control mechanisms is the establishment of segregation of duties (SOD) (also referred to as “Separation of Duties”). The purpose of SOD is to ensure that more than one person is required to complete a task that is subject to abuse. To implement a SOD on a given business function, the function is divided into separate, necessary steps or activities, and the steps or activities are assigned to different persons or organizations. SOD mechanisms often segregate not only who has authorization to conduct a particular transaction, but also who has authorization to retrieve or record financial information concerning that transaction. As most large modern businesses use large enterprise resource planning (ERP) systems to integrate the data and processes of the business into a unified system, it is critical that SOD controls be incorporated into the company's ERP system.
As employees join and leave a business organization, or get promoted or given new assignments within that organization, the organization's ERP system must be continually updated to provide those employees with the necessary authorizations to perform their assigned tasks, and to delete those authorizations they no longer need. Over time, the originally well-designed internal controls implemented by a system can become outdated, creating new opportunities for fraud and abuse. Therefore, as people join and leave and move about within a company, it is important that companies routinely carry out SOD analyses to ensure that their internal control mechanisms are maintained.
Furthermore, as a business grows into new areas, or as previously unanticipated abuses or internal control failures are discovered, businesses need to continually revise and refine their internal controls and develop new SOD mechanisms to prevent further failures. As a company's internal controls grow more sophisticated and complex, the task of undertaking a SOD analysis grows exponentially more complex.
Standard methodologies for performing SOD analyses are tedious, cumbersome, and inadequate. One approach to a SOD analysis is to have persons versed in a database language painstakingly draft queries—sometimes thousands of queries—that are run to produce result sets or reports identifying potential SOD violations. Some SOD tools provide numerous predefined SOD queries, but the process lacks an adequately visually intuitive or user-friendly interface for setting up the SOD analysis or visualizing the results of the SOD analysis.
To address these problems, the inventor undertook to develop a more intuitive interface for setting up the SOD analysis and for visualizing the results of a SOD analysis. In particular, he developed a user interface that uses Venn, Euler, or Veitch diagrams or derivatives or equivalents thereof to depict potential Segregation of Duty (SOD) problems or violations and unauthorized access across a business's Enterprise Resource Planning (ERP) applications. An interesting and insightful discussion of Venn diagrams is set forth in the following article, which is herein incorporated by reference: Frank Ruskey and Mark Weston, “Venn Diagrams,” The Electronic Journal of Combinatorics (edition dated Jun. 18, 2005).